ContextQMD
Back to Firezone

Route Traffic Through a Public IP

website/src/app/kb/use-cases/nat-gateway/readme.mdx

1.0.52.7 KB
Original Source

import SupportOptions from "@/components/SupportOptions"; import Link from "next/link"; import Alert from "@/components/DocsAlert"; import Image from "next/image"; import PlanBadge from "@/components/PlanBadge";

<PlanBadge plans={["starter", "team", "enterprise"]}>

Route Traffic Through a Public IP

</PlanBadge>

In this guide, we'll walk through the configuration required to use Firezone to route traffic through a public IP address, sometimes known as a NAT Gateway configuration.

Use this when you need your team's traffic to appear to come from a single, static IP address to use services that require source traffic to come from specified IP allowlists.

After completing this guide, your team's traffic will be routed to a Firezone Gateway and then out to the internet using its public IP address.

<Alert color="info"> See our our [Terraform examples](/kb/automate/terraform) for a high availability example of this guide using Terraform on Google Cloud Platform. </Alert>

Prerequisites

  • A Site reserved for this use case. Create a Site if you haven't already.
  • One or more Gateways deployed within the Site. Deploy a Gateway if you haven't done so yet.
<Alert color="warning"> This guide assumes the Gateway has a public IP attached. This is required to function as a NAT gateway. </Alert>

Step 1: Create Resource(s) matching the traffic you want to route

  1. In your admin portal, go to Sites -> <site> and click the Add Resource button.
  2. Add Resource(s) for each service that requires an IP allowlist. For example, if you need traffic to *.gitlab.company.com to appear to come from your Gateway's public IP address, you would enter *.gitlab.company.com as the Resource address.
  3. Optionally, add a Resource with address ifconfig.net to the Site as well. This will be used later to verify that your traffic is being routed through the Gateway's public IP.

Step 2: Create Policies

  1. In the Policies tab, click the Add Policy button.
  2. Create a Policy for each of the Resources you created in Step (1). Be sure to select the appropriate Group and Resource for each Policy.

Step 3: Done!

That's it!

If you added the ifconfig.net Resource above, you can verify that your traffic is being routed through the Gateway by visiting https://ifconfig.net in your browser and ensuring the IP displayed matches the public IP address of your Gateway.

<Link href="/images/kb/use-cases/nat-gateway/verify.png" target="_blank" rel="nofollow" > <Image src="/images/kb/use-cases/nat-gateway/verify.png" alt="Verify traffic is routed through the Gateway" width={1200} height={1200} /> </Link> <SupportOptions />